From 7d8e59de0062ff9312c5e97b4a409d43271f5f81 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Sun, 19 Jul 2020 17:36:19 +0530 Subject: [PATCH] mqtt: Add support for Digital Signature (through ESP-TLS) Digital Signature enables hardware accelerated RSA signature for TLS handshake.The RSA private key(client key) is also stored in encrypted format and ecryption key is stored in hardware(efuse) which adds additional level of security for mutual authentication. * Digital Signature is only supported for ESP32-S2. Applicable IDF version >= v4.3 --- include/mqtt_client.h | 4 ++++ include/mqtt_supported_features.h | 5 +++++ mqtt_client.c | 16 ++++++++++++++++ 3 files changed, 25 insertions(+) diff --git a/include/mqtt_client.h b/include/mqtt_client.h index 020d026..e365cb8 100644 --- a/include/mqtt_client.h +++ b/include/mqtt_client.h @@ -14,6 +14,9 @@ #include "mqtt_config.h" #include "esp_event.h" +#if CONFIG_ESP_TLS_USE_DS_PERIPHERAL +#include "rsa_sign_alt.h" +#endif #ifdef __cplusplus extern "C" { @@ -184,6 +187,7 @@ typedef struct { int out_buffer_size; /*!< size of MQTT output buffer. If not defined, both output and input buffers have the same size defined as ``buffer_size`` */ bool skip_cert_common_name_check; /*!< Skip any validation of server certificate CN field, this reduces the security of TLS and makes the mqtt client susceptible to MITM attacks */ bool use_secure_element; /*!< enable secure element for enabling SSL connection */ + void *ds_data; /*!< carrier of handle for digital signature parameters */ } esp_mqtt_client_config_t; /** diff --git a/include/mqtt_supported_features.h b/include/mqtt_supported_features.h index 3be0f30..9f1acf2 100644 --- a/include/mqtt_supported_features.h +++ b/include/mqtt_supported_features.h @@ -53,5 +53,10 @@ #define MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT #endif +#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(4, 3, 0) +// Features supported in 4.3 +#define MQTT_SUPPORTED_FEATURE_DIGITAL_SIGNATURE +#endif + #endif /* ESP_IDF_VERSION */ #endif // _MQTT_SUPPORTED_FEATURES_H_ diff --git a/mqtt_client.c b/mqtt_client.c index e1a3b67..aff0809 100644 --- a/mqtt_client.c +++ b/mqtt_client.c @@ -82,6 +82,7 @@ typedef struct { const struct psk_key_hint *psk_hint_key; bool skip_cert_common_name_check; bool use_secure_element; + void *ds_data; } mqtt_config_storage_t; typedef enum { @@ -222,6 +223,20 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle goto esp_mqtt_set_transport_failed; #endif /* MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT */ } + + if(cfg->ds_data != NULL) { +#ifdef MQTT_SUPPORTED_FEATURE_DIGITAL_SIGNATURE +#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL + esp_transport_ssl_set_ds_data(ssl, cfg->ds_data); +#else + ESP_LOGE(TAG, "Digital Signature not enabled for esp-tls in menuconfig"); + goto esp_mqtt_set_transport_failed; +#endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */ +#else + ESP_LOGE(TAG, "Digital Signature feature is not available in IDF version %s", IDF_VER); + goto esp_mqtt_set_transport_failed; +#endif + } ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_CERT, cfg->clientcert_buf, cfg->clientcert_bytes), goto esp_mqtt_set_transport_failed); ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_KEY, cfg->clientkey_buf, cfg->clientkey_bytes), @@ -473,6 +488,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl cfg->psk_hint_key = config->psk_hint_key; cfg->skip_cert_common_name_check = config->skip_cert_common_name_check; cfg->use_secure_element = config->use_secure_element; + cfg->ds_data = config->ds_data; if (config->clientkey_password && config->clientkey_password_len) { cfg->clientkey_password_len = config->clientkey_password_len;